Summit 7 Blogs

Is My MSP Ready for CMMC?

Written by Brad Shannon | Apr 12, 2024 3:05:05 PM

With the CMMC final rule imminent (late 2024 or early 2025), every Managed Services Provider (MSP) that serves the Defense Industrial Base (DIB) is faced with some tough decisions. To 'play ball' in the DIB, MSPs will need to get CMMC certified at the same level their clients will be.

[Excerpt from the CMMC rule]

To do this, MSPs are, or should be, preparing their systems, agreements, pricing, and much more to align with the requirements of the proposed rule.

In this blog post we will explore what you will need to ask your current MSP to ensure you are ready for CMMC.

We’ll cover the following exciting topics: 

  • How does CMMC affect MSPs? 
  • Is my MSP in scope for CMMC? 
  • What about subcontractors and non-US persons? 
  • Do MSPs have to be FedRAMP authorized?
  • What questions can I use to interrogate…I mean query my MSP? 

How does CMMC affect MSPs (Managed Service Providers)?

MSPs will need to get certified at either CMMC Level 2 or 3, but if you search the proposed rule for "MSP" or "Managed Services Provider", you won't find it mentioned anywhere. Why?

Well, because the DoD needed more acronyms and decided to use a new term: the External Services Provider (ESP).

It makes sense if you think about it, because that term covers a very broad spectrum of external companies or services your company may use, like cloud services (Microsoft 365, Azure, AWS) or contractors that need access to your Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to complete their tasks.

Another spicy meatball is “Shared Services” in organizations like Private Equity firms and Universities that might be considered in-scope, even if they are internal to the overall organization.

Many MSPs outsource services, systems, or personnel to 3rd parties, and this is very important to know. Every company they outsource to may need to get CMMC certified, and so may every company those providers outsource to in turn, and so on down the chain.

You've heard the saying "💩 Rolls Downhill?" Well, in the CMMC world, that "stuff" rolls uphill.

If you're bidding on a contract as a Prime, then you must have an active CMMC certification at the appropriate level at time of award. But – and here's the kicker – every subcontractor you use to execute, service, or support that contract must also be CMMC certified at the appropriate level, and because each certification depends on the providers beneath it, the work has to start at the bottom of the supply chain.

If you have 10 subcontractors, at any level, then you are responsible for ensuring that those 10 subcontractors have the appropriate CMMC certification for the flow downs they will receive.

Considering it takes 12-18 months to prepare for and achieve certification, you're looking at…a very long time before you can even think about bidding on contracts.

So, if your MSP outsources to other companies, what is their plan to handle this?

Do MSPs need to work with all-US persons for CMMC?

Speaking of who has access to your data, does that include any non-US persons? Non-US persons cannot access ITAR-controlled technical data without extensive legal work, such as export licenses or agreements.

In my previous role at a DIB company, I dealt with non-US persons a lot. Many of our subcontractors were foreign and there was a lot of legal "stuff" (i.e. TAAs, NDAs, etc.) that had to be put in place before they could access systems and data. This caused a lot of overhead, and it was painful at times.

In the case of MSPs, not only would all their non-US persons need to go through this legal "stuff" for every one of your contracts, but every company they outsource to would have to do the same. The overhead this creates can be a huge headache for any MSP to manage.

Do MSPs have to be FedRAMP authorized?

One of everyone's favorite topics (besides FIPS) is FedRAMP. Talk about an exciting discussion, right? I'm sorry to say, we must talk about FedRAMP regarding MSPs too.

If your MSP uses a cloud service to support you, and that service stores, processes, or transmits your CUI, then that service must be FedRAMP Moderate authorized or meet the FedRAMP Moderate equivalency requirements. Remember that this includes the MSP's own tooling, not just the systems you see, so ask where your data actually lands.

There are very few SaaS products out there in each category that meet this bar, so this limits what your MSP can use. If they aren't already using all FedRAMP-authorized products, then what is the likelihood that they will rip out and replace the systems they use to support all their other clients just for you or the small number of DIB clients they already have?

I've covered a lot of information and scenarios so far, so what's the TL;DR?

Here are some key questions you should ask yourself or consider regarding your existing MSP:

1. Will my MSP achieve the appropriate CMMC level that I anticipate needing?
2. What is my MSP’s timeline?
3. Does my MSP have a Shared Responsibilities Matrix (SRM)?
   1. If so, this is a good sign they are taking things seriously.
   2. What cloud providers does my MSP use? Have they verified each cloud provider’s compliance (i.e. FedRAMP Moderate or equivalent)?
   3. Does the SRM mention any outsourced support?
4. Does my MSP support enough DIB clients to make financial sense for them to continue supporting me?
5. Will the cost of the MSP’s service to me increase? If so, how much?
6. Are there any non-US persons used in the MSP’s service or support to me?
7. Can the MSP support me in the event of a Joint Surveillance Voluntary Assessment (JSVA) or a CMMC assessment?
8. Am I in a contract now?
   1. What does it say about compliance or NIST SP 800-171?
   2. Can I terminate due to regulatory requirements?
   3. If not, when is my renewal?

If you're still reading, then congratulations and thank you. This is a complicated and difficult journey.

Companies in the DIB have many hard decisions to make if they want to continue servicing the DoD, and MSPs (er, ESPs) are just one of them.

Luckily, Summit 7 has solved every one of these problems and is more than prepared to service your needs. If you have made it to this point and have decided you need to change MSPs, or maybe you need to start using one, then please reach out using the form below. Operators are standing by!